I recently attended two classes which are part of the so called 'career track' offered by guidance software. Included in that career track is the EnCE.

The first of the two classes was EnCase Intermediate Analysis and Reporting which is said to cover all that you need to know to pass the EnCE. It's a 4 day course which shows you really all the possibilities EnCase gives you to make your life easier and get results quicker. I already had some experience with the software and got basicly the same results doing it my way - but at the expense of at least twice the time for getting the results and even more time needed to compile the reports.

The second class was EnCase Advanced Computer Forensics. During that 4 day course you go over the internals of different partition types, filesystems, operating system artifacts etc. The 4 days are really charged, sometimes it was difficult to follow (for me especially when the instructor talked about systems I really know nothing about like Mac File Systems), but everything is explained in depth in the course books so you can go over it again.

If you are working with encase I can recommend both courses. I did the courses in Pasadena (at the headquarter of guidance), both instructors knew what they talked about, just the classroom was a bit noisy from the air condition and would need some windows.

Now just waiting to do the other 2 courses (Advanced Internet Examination and Live Forensic Investigation), perhaps in september, and after that - hopefully - passing the EnCE

Just wondering if anybody knows if they audit people for experience? I know someone brand new to forensics who just got his EnCE without having ever done a real forensics investigation and with only a background in cutting and pasting firewall rules.

They just ask you if you have some experience but there is no need for any special evidence for that.

The certification consists of two parts, a theoretical (multiple choice) test and a practical.

I think that possibly you can pass the theoretical part by just studying the offical study guide, but for the practical you need to know what you are doing (or at least know somebody who does !). You'll get a case-file on CD and have to answer questions about that case within 60 days. Sure you can try to answer every question by looking up the manuals (a bit tedious)...

And what do you get that way ? First time you'll have to do a real case you'll be caught.

I'm not really concerned about it for myself, I have plenty of experience analyzing systems and forensic images. I just was wondering if the cert was getting watered down, it must be if people with no experience are getting it.

yeah the practical is a great idea, the main thing is that you want to stop bootcamp/training companies from sending in their people to take repeated attempts until they've memorized most of the test ala TestKing. Thats really what waters down certs.I'm supposed to be taking the Ence intermediate course, whatever replaced IFRAD, next year so I will eventually be getting the cert sometime.